aws iam create-role: Create an IAM Role for CI
Create an IAM role, including the OIDC trust policy GitHub Actions assumes.
aws iam create-role creates a role defined by a trust policy (--assume-role-policy-document). For modern CI, that trust policy authorizes GitHub's OIDC provider to assume the role - so workflows get short-lived credentials with no static keys. Permissions are then attached separately.
Common flags
--role-name- the role name (required)--assume-role-policy-document file://trust.json- the trust policy (required)--description- a human-readable description--max-session-duration- max assumed-session length in seconds--permissions-boundary- cap the role's effective permissions
Example in CI
Create a role whose trust policy allows GitHub OIDC.
shell
aws iam create-role --role-name github-deploy --assume-role-policy-document file://github-oidc-trust.jsonCommon errors in CI
- An error occurred (EntityAlreadyExists) - a role with that name already exists
- MalformedPolicyDocument - trust JSON invalid or missing the OIDC Condition
- An error occurred (AccessDenied) - principal lacks iam:CreateRole
- OIDC AssumeRole fails later - sub/aud Condition does not match the repo/branch
Key takeaways
- The trust policy (--assume-role-policy-document) controls who can assume the role.
- For GitHub Actions, trust the token.actions OIDC provider, scoped by sub to repo/branch.
- create-role sets trust only; attach permission policies separately.
Related guides
aws sts assume-role: Assume an IAM Role in CIaws sts assume-role returns temporary credentials for a target role, enabling cross-account deploys. Learn th…
aws sts get-caller-identity: Verify AWS Auth in CIaws sts get-caller-identity returns the account, user, and ARN for the current credentials. Use it to verify…
aws configure: Set Credentials and Region in CIaws configure sets AWS CLI credentials, region, and profiles. Learn the flags, a CI example, and why pipeline…